Authorities have become more strict in enforcing healthcare rules, and this has led to more frequent and costly fines for HIPAA violations. The Office for Civil Rights (OCR) has amassed a total of $15m in fines in just the first seven months of 2016. This is why managed service providers and IT consultants remain the go-to experts for preventing disaster.
Violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) can lead to sanctions, civil money penalties, and even criminal penalties. The law protects patient information and medical records and ensures healthcare providers comply with security and privacy rules. Here are a few reasons why HIPAA is so important, both to medical professionals and patients:
- HIPAA prevents identity theft by ensuring medical providers do not disclose patient information;
- Patients have complete, unrestricted access to a copy of their personal medical records;
- HIPAA protects patient confidentiality and ensures that every healthcare institution has a compliance department.
HIPAA fines start from a minimum of $100 per violation and go up to $50,000 per violation when the infraction happened unknowingly. The fines are a minimum of $50,000 for cases of willful neglect, and cap at an annual $1.5 million. If we look back just a few years, we can find cases where organizations paid millions in fines. It’s cases like these that show the ever-growing importance of business continuity strategies and data breach prevention.
Below we’ve rounded up some of the most costly HIPAA fines paid in history.
Advocate Health Care (AHC) Settles Penalties for $5.55m
One of the latest cases settled by the OCR is also the most costly payment ever recorded. Advocate Health Care Network (Advocate) agreed to a settlement of $5.5m in 2016 after an investigation showed it had failed to protect patient data.
Apparently, AHC lost data for almost 4 million patients in 2013. It looks like one of its employees left an unencrypted laptop in an unlocked car overnight. The company had not conducted a risk assessment of its systems or implemented basic safeguards for its electronic records.
Memorial HC System (MHS) for $5.5m
MHS first reported that two employees had stolen and sold ePHI. That led to an internal investigation that revealed 12 more employees at its affiliated physician offices had used the login of a former employee to impermissibly access ePHI on a daily basis for 13 months between 2011 and 2012.
In all, the ePHI of 115,143 individuals had been compromised. Several risk assessments between 2007 and 2012 had identified the risk, but MHS had never acted on it.
New York-Presbyterian Hospital and Columbia University Pay $4.8m
The New York-Presbyterian Hospital and Columbia University, which share a data network, also had to settle a case for the incredible amount of $4.8m. The two institutions lost vital information for thousands of their patients during a data breach in 2014.
According to authorities, a physician attempted to deactivate a personal computer server on the network containing patient data. Because of a lack of technical safeguards, patients’ records ended up on internet search engines. Data for 6,800 individuals was disclosed, including patient status, vital signs, medications, and laboratory results.
According to an HHS press release, the entities learned of the breach after a complaint from an individual who found their deceased partner’s records on the internet.
Cignet Health Found Guilty of Willful Neglect, Pays $4.3m in Fines
In 2010, the OCR found that Cignet Health of Prince George’s County, Maryland, violated patients’ rights after it failed to respond to requests for medical records. The company paid $1.3m for HIPAA violations that occurred in 2008 and 2009.
It looks like 41 patients asked for their health records and did not receive a response. Healthcare institutions must provide patients with their records within 30 days from the date of the request. According to the OCR, the company also failed to cooperate with the Office for Civil Rights during the investigation and ended up with another $3m in fines for willful neglect.
Feinstein Institute for Medical Research for $3.9m
In September 2012, an unencrypted laptop computer containing the ePHI of about 13,000 patients and research participants was stolen from the back seat of an employee’s car.
Violations included an inaccurate and incomplete risk analysis, a lack of policies and procedures governing the removal of equipment used to store ePHI from its facilities, and several other violations.
Triple-S Pays $3.5m For Multiple Data Breaches
The Triple-S Management Corporation found itself in triple trouble after multiple complaints were filed about non-compliance with HIPAA regulations.
The insurance holding company settled on behalf of its subsidiaries based in San Juan, Puerto Rico, in 2015. According to the U.S. Department of Health and Human Services (HHS), they agreed to pay $3.5m and begin corrective measures for the issues found.
When It Is About HIPAA Compliance, It’s Better To Act Than React, So Make Sure You’re Not The Next Record Breaker
All these cases and many more show exactly how important compliance is in regulated industries. There is no excuse for neglecting to implement policies that can prevent privacy violations or downtime.
When it comes to compliance standards, there is no one-size-fits-all. This is why companies must always look out for their best interests and partner with IT professionals who can handle risk assessment and management in their field.